Merge pull request #3040 from xiang90/fix_auth

Fix auth
2024-09-27 06:25:44 +00:00 · 2015-06-23 13:47:25 -07:00
parent cf050ee21d c8628c8fe5
commit 37933cffa4
2 changed files with 28 additions and 19 deletions
--- a/etcdserver/auth/auth.go
+++ b/etcdserver/auth/auth.go
@@ -97,6 +97,10 @@ type Permissions struct {
 	KV rwPermission `json:"kv"`
 }

+func (p *Permissions) IsEmpty() bool {
+	return p == nil || (len(p.KV.Read) == 0 && len(p.KV.Write) == 0)
+}
+
 type rwPermission struct {
 	Read  []string `json:"read"`
 	Write []string `json:"write"`
@@ -297,16 +301,6 @@ func (s *Store) GetRole(name string) (Role, error) {
 	return r, nil
 }

-func (s *Store) CreateOrUpdateRole(r Role) (role Role, created bool, err error) {
-	_, err = s.GetRole(r.Role)
-	if err == nil {
-		role, err = s.UpdateRole(r)
-		created = false
-		return
-	}
-	return r, true, s.CreateRole(r)
-}
-
 func (s *Store) CreateRole(role Role) error {
 	if role.Role == RootRoleName {
 		return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)
--- a/etcdserver/etcdhttp/client_auth.go
+++ b/etcdserver/etcdhttp/client_auth.go
@@ -208,20 +208,35 @@ func (sh *authHandler) forRole(w http.ResponseWriter, r *http.Request, role stri
 			return
 		}
 		if in.Role != role {
-			writeError(w, httptypes.NewHTTPError(401, "Role JSON name does not match the name in the URL"))
+			writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "Role JSON name does not match the name in the URL"))
 			return
 		}
-		newrole, created, err := sh.sec.CreateOrUpdateRole(in)
-		if err != nil {
-			writeError(w, err)
-			return
-		}
-		if created {
+
+		var out auth.Role
+
+		// create
+		if in.Grant.IsEmpty() && in.Revoke.IsEmpty() {
+			err = sh.sec.CreateRole(in)
+			if err != nil {
+				writeError(w, err)
+				return
+			}
 			w.WriteHeader(http.StatusCreated)
+			out = in
 		} else {
+			if !in.Permissions.IsEmpty() {
+				writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "Role JSON contains both permissions and grant/revoke"))
+				return
+			}
+			out, err = sh.sec.UpdateRole(in)
+			if err != nil {
+				writeError(w, err)
+				return
+			}
 			w.WriteHeader(http.StatusOK)
 		}
-		err = json.NewEncoder(w).Encode(newrole)
+
+		err = json.NewEncoder(w).Encode(out)
 		if err != nil {
 			plog.Warningf("forRole error encoding on %s", r.URL)
 			return
@@ -315,7 +330,7 @@ func (sh *authHandler) forUser(w http.ResponseWriter, r *http.Request, user stri
 			return
 		}
 		if u.User != user {
-			writeError(w, httptypes.NewHTTPError(400, "User JSON name does not match the name in the URL"))
+			writeError(w, httptypes.NewHTTPError(http.StatusBadRequest, "User JSON name does not match the name in the URL"))
 			return
 		}
 		newuser, created, err := sh.sec.CreateOrUpdateUser(u)